Protect Your Industrial Networks from Edge to Cloud

The widespread adoption of the IIoT is resulting in more and more devices being brought online. While industry operators are keen to reap the benefits of digitizing automation, they are also faced with the increased risks that accompany this trend. For example, the fact that a network is isolated does not always mean that it is secure. As more devices become connected, the attack surface also increases, which makes networks more vulnerable to cyberattacks and unauthorized access. A lack of awareness about these security issues can have serious consequences: it only takes a very small cybersecurity breach to corrupt or delete a large amount of data, which can lead to significant production losses. Moxa helps users address the challenges they may encounter and build cybersecurity solutions that bring value to all industrial automation players.

To understand more details about Moxa’s edge-to-cloud solutions, download the white paper.

Cybersecurity Challenges for Industrial Networks

Lack of Guidelines for Deploying Hardened Network Devices

One of the most common misunderstandings is that all cybersecurity risks can be mitigated as long as firewalls are deployed. In reality, the security features built into network devices also play a key role in building a defense-in-depth security architecture. In the past, OT operators did not deploy hardened networks and did not have any clear guidelines to follow, which further complicated the implementation of cybersecurity solutions.

Lack of Cybersecurity Awareness when Designing Network Architecture

Industrial Control System (ICS) networks used to be isolated, relying on air-gap protection to keep secure networks separate from unsecured ones. Even though industrial networks continue to connect more devices, most OT operators still rarely take cybersecurity defense into consideration. Given the number of cyberattacks targeting the critical manufacturing sector, it is clear that ICS networks are at high risk of attack.

Lack of Security Management Principles and Monitoring Tools

Human error is reported to be the leading cause of networks being subjected to cyberattacks (37%); it is a frequent cause because security management principles are often ignored. In order to adhere to the principles of security management, OT operators must constantly monitor the network. However, constant monitoring is considered by many in the industry to be troublesome, as it requires staff with specialized knowledge and is time-consuming.

Defined Policies and Security Management

Moxa's products are developed around the four principles for security management: access and identity management, device management, system management, and configuration management. Moxa also provides MXview and MXconfig management software for wired and wireless networks.

Defense-in-Depth Cybersecurity for IACS Networks

Moxa provides a defense-in-depth framework with a wide variety of cybersecurity building blocks, which include industrial secure routers, VPNs, and remote access solutions tailored for industrial automation. Moxa helps system integrators deploy cybersecurity that is compliant with the defense-in-depth approach.

Defense-in-Depth Solutions for Industrial Networks

Defense-in-Depth Security Architecture

Segment networks to secure communications between components in different automation zones and cells.

Network Segmentation for Zone and Cell Protection

The defense-in-depth security architecture divides the ICS network into individually protected zones and cells. The communication in each zone or cell is secured by firewalls, which further reduces the chance that the entire ICS network will fall victim to a cyberattack. Moxa's EDR Series consists of industrial secure routers that help operators provide zone and cell protection by using a transparent firewall that protects control networks and critical devices such as PLCs and RTUs against unauthorized access. Because the firewall is transparent, there is no need to reconfigure existing network settings, which makes deployment faster and easier. The EDR-810 Series supports Moxa's Turbo Ring redundancy technologies, which makes the deployment of network segmentation more flexible and economical. Moreover, Moxa's Ethernet switches can create virtual LANs (VLANs) to decompose each ICS domain into smaller networks whose traffic is isolated from other VLANs.


Identify and scrutinize traffic between zones within the ICS network.

Traffic Control for Interaction Between Zones

Traffic passing between zones in an ICS network must be scrutinized in order to enhance security. There are several ways to implement this. One method is to exchange data via a DMZ: a data server in the DMZ is reachable from both the secure ICS network and the insecure network, so the two networks never connect directly. Moxa's EDR-G903 Series can help achieve secure traffic control by utilizing user-specific firewall rules. The second method is for the EDR routers to perform deep Modbus TCP inspection by using PacketGuard to control which Modbus actions are permitted, further tightening traffic control. This method simplifies administration tasks and can block unwanted traffic from one network to another. In addition to firewalls, an Access Control List can be used to filter a switch's ingress packets by IP address, which allows network administrators to secure networks by controlling access to devices or parts of the network.
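As an added illustration (not Moxa's PacketGuard code, whose internals the page does not describe), the following Python sketch shows the kind of zone-boundary check the paragraph describes: it parses the Modbus TCP MBAP header and allows a request only when the source address is in a per-host allowlist of function codes, so a read-only HMI can poll the PLC but cannot write to it, and malformed frames are dropped. The IP addresses, the policy table and the sample frames are constructed assumptions.

```python
import struct
from ipaddress import ip_address

# Modbus function codes that only read process data (no state change).
READ_FCS = {1, 2, 3, 4}
# Function codes that change coils or registers.
WRITE_FCS = {5, 6, 15, 16}

# Constructed zone policy (an assumption, not a Moxa configuration):
# source IP -> set of function codes it may send into the control cell.
POLICY = {
    "10.0.1.10": READ_FCS,              # HMI in the supervisory zone: read only
    "10.0.1.20": READ_FCS | WRITE_FCS,  # engineering workstation: reads and writes
}

def parse_modbus_tcp(payload: bytes):
    """Parse the MBAP header and function code of a Modbus TCP request.
    Returns None when the frame is malformed."""
    if len(payload) < 8:  # 7-byte MBAP header + at least the function code
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id must be 0; the length field counts unit id + PDU bytes.
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": unit, "fc": payload[7]}

def filter_request(src_ip: str, payload: bytes):
    """Decide whether a Modbus TCP request may cross into the cell.
    Returns (verdict, reason) so the decision can be logged."""
    ip_address(src_ip)  # raises ValueError on a garbage address
    allowed = POLICY.get(src_ip)
    if allowed is None:
        return "deny", "source not in zone policy"
    frame = parse_modbus_tcp(payload)
    if frame is None:
        return "deny", "malformed MBAP header"
    if frame["fc"] not in allowed:
        return "deny", f"function code {frame['fc']} not permitted for {src_ip}"
    return "allow", f"fc {frame['fc']} to unit {frame['unit']}"

# Constructed sample requests (not captured traffic).
READ_HOLDING = bytes.fromhex("00010000000601030000000a")  # FC 3, 10 registers from 0
WRITE_SINGLE = bytes.fromhex("000200000006010600100001")  # FC 6, write register 16
BAD_PROTO = bytes.fromhex("000300010006010300000001")     # protocol id 1: malformed

if __name__ == "__main__":
    for src, frame in [("10.0.1.10", READ_HOLDING), ("10.0.1.10", WRITE_SINGLE),
                       ("10.0.1.20", WRITE_SINGLE), ("10.0.1.99", READ_HOLDING),
                       ("10.0.1.10", BAD_PROTO)]:
        print(src, *filter_request(src, frame))
```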

Secure Remote Access to the ICS Network

There are currently two solutions available to deal with the main requirements for secure remote access to applications. For constant connections, standard VPN tunnels are recommended. Moxa's EDR Series can use IPsec, L2TP over IPsec, or OpenVPN to set up encrypted IPsec VPN tunnels or act as OpenVPN clients. These methods protect data from being manipulated while it is being transmitted and ensure secure remote access between industrial networks and remote applications. Alternatively, if remote access is only required on demand to specific machines or sensitive areas, then a management platform for all remote connections is required.